To what level do you personally scrutinize links in emails?
July 17, 2019 1:18 PM

When you receive an email with a link in it, what is your process for determining if it's safe to click on? I'm familiar with basic security policies like "don't click on links from senders you don't know" but what, if anything, should or could be done beyond that?

(I realize my question is coming from a place of anxiety. I'm working on that.)

About an hour ago I received an email from Google (no-reply@accounts.google.com) notifying me that one of my secondary email accounts was deleted* due to a Terms of Service violation. Part of the email contained the text "To attempt to restore access to the account, please visit our account recovery page immediately." where account recovery page was a link to a webpage beginning with accounts.google.com.

I gave some thought as to whether I should click on the link or not. The email address where I received the email is my primary email address and the primary and the secondary address were both listed in the text of the email. The sender email address matched the sender of other security emails I've received from Google (although I'm aware that sender email addresses can be spoofed). The Mailed By and Signed By values also matched other security emails sent by Google. I hovered over the link and saw that it went to accounts.google.com. I logged into my primary email/Google account to see if there was a way to start the account recovery process without clicking the link but I didn't find one.

The end result is that I clicked on the link. (After confirming that 2 factor authentication was enabled on my primary Google account.) The webpage was unable to help me recover my secondary email account but beyond that I'm having trouble shaking the feeling that I shouldn't have clicked on the link at all. (Additional factor probably being that I checked this email in a browser on my work computer and would hate to think I compromised my fairly new work computer.) I was able to see the URL and could have entered it manually to go to the webpage.

TLDR, and the main actual question: what is your personal process for determining if a link in an email is safe to click on? Beyond the basic advice about phishing emails, how do you stay vigilant against potentially malicious links? Does this process differ when using your phone or your computer?

I find myself becoming more and more suspicious of any links in emails but they are an unavoidable part of personal and business emails so I must find better ways of managing both the actual potential threat and the anxiety around not being safe enough.

Thank you for your time.



*(The deletion is a whole other story. It was an email account I set up to sign up for a Twitter account. The purpose of the Twitter account was to write parody weather report tweets. It's an odd situation I've never encountered before but it will be okay if I can't recover the email account.)
posted by heywheresperry to Computers & Internet (25 answers total) 5 users marked this as a favorite
 
> what is your personal process for determining if a link in an email is safe to click on?

I decide if I think the reason for the link to be there is valid, and if so, I will go and find the location on my own. So, in your case, I'd have gone to google through my usual route and tried to find the link there. If I get a banking email with a link, I log into the banking portal independently and hope it shows up there, etc. etc.

Alternatively, if that didn't work (as in your case) I either decide it wasn't that important or "I was able to see the URL and could have entered it manually to go to the webpage." seems like it would be ok as long as you can confirm the address. So, in step one above, look at the likely web page and manually type it in if it seems similar.
posted by Brockles at 1:35 PM on July 17 [8 favorites]


If it is a link like your example which goes to a page of a service you trust, I would either manually re-type the URL myself or go to their homepage and attempt to navigate to the end page. It's easy to make URLs look correct but in actuality go somewhere else - for example.
posted by mustardayonnaise at 1:38 PM on July 17 [8 favorites]


My personal decision tree:

1. Did I do something that would trigger this email to be sent to me (register for something, buy something, change something on an account somewhere, etc)?
2. Do I have an account with the service purportedly sending this email, even if I didn't do something to trigger it?
3. Is the email formatted the way I would expect it to be - non-pixelated logo, sentences put together intelligently, everything spelled/punctuated correctly, etc?

If the answer to #1 is yes, I click on the link. If the answer to any two of those questions is yes, I will also click on the link. If I'm unsure, I'll note the URL, and then enter the root of the link into the search bar (ebay.com as opposed to ebay.com/blahblah/afewofjawehornqv49786345.html or whatever) and see if I can get to the desired page from there.

Under no circumstances, however, will I ever open an attachment, unless I was actually expecting to receive it. Attachments are where evil lives.
posted by pdb at 1:43 PM on July 17 [3 favorites]


Depending on your browser, when you hover over a link for a couple of seconds, you should get a popup either on your cursor or at the bottom of the window saying where the link is actually going (I don't know whether there's an equivalent yet for mobile). Even so, I would still go to the actual web address by typing it manually rather than clicking a direct link.
posted by Mchelly at 1:44 PM on July 17 [1 favorite]


I tend to be pretty careful around emails with links that claim something I might care about is going to be deleted. The more urgent the email looks, the more suspicious I get. But if the email is of a more routine nature, I tend to be more careless.

When I am suspicious of an email, I will hover over the link and see if the domain that pops up matches what I expect it to be. In my experience doing IT work, most scam emails these days take advantage of hacked Wordpress installations, so it'll be something completely unrelated to the domain the email is ostensibly coming from.

If it looks like it's going to the right place and I still feel suspicious, I will try to log into the site but not use the link in the email. If my account is about to be deleted, there should be a big banner saying "hey there's a problem" when I log in.

All of that to say, I think you did your due diligence here. If I were your IT person at your company, I would not be worried about your computer.
posted by JDHarper at 1:49 PM on July 17


A lot of times the links come in emails that seem "off" in some way; they have typos, they are from people or companies I've never heard of before, they're from people I knew from a play I worked on seven years ago and then never talked to again and I'm one of about 5 random strangers cc'd on the email, etc. Those I never open.

If it's from a company I do business with, I take a bit of a close look at the email to see if I see any anomalies compared to other emails I receive from them (does the logo appear a little blurry? Is the language different?). If it seems suspicious, I will go to the main web page myself and check out the thing they're asking about; i.e., if it's a message from my bank saying "you need to update your address on your account, click here", I instead go to my bank web site's main page and log on, then check my address in my profile that way instead of clicking on the link.

If you want to be extra safe, there are apps and sites that will check out a link for you with a copy-and-paste. I used to use those to double-check things when in doubt.
posted by EmpressCallipygos at 1:49 PM on July 17 [2 favorites]


I hover and scrutinize the destination URL. If it's legit, I click.
posted by DarlingBri at 1:54 PM on July 17 [2 favorites]


If an email smells at all fishy, I first check to see what the actual url the link points to is. I will also take a look at the long headers (or, sometimes the entire source) and see if anything draws my attention.

Generally speaking, though, I pretty much never click on a link in an email unless I am unwaveringly certain it’s from a trusted source. And, even then, I might check under the hood. I have a couple of relatives who seem utterly incapable of keeping their email accounts secure.
posted by Thorzdad at 2:17 PM on July 17


I work with computers for a job. I use gmail for my email. I have a Mac. I click on basically any link I have reason to believe is legit after hovering over it. This is not foolproof, there are ways you can be snookered by links that look legit but aren't, but I've found in most cases, it's not so much clicking on links as what you do with the page the link goes to. Gmail is good at ferreting out spam and phishing and Macs are good at not getting pwned by link clicking. Maybe I've been lucky so far but it's more important to me to not worry about this than to make sure I'm being as careful as possible. If I was on a work computer that was not mine, I might feel differently.

> I tend to be pretty careful around emails with links that claim something I might care about is going to be deleted.

Exactly. I pay attention to the tone of the email and the urgency of it. One of the things many scams have in common is that the tone is off (something different than just "I am a boring no-reply email account giving you information") or the urgency is ratcheted "Reply SOON or something BAD will HAPPEN" and those both send up red flags for me.
posted by jessamyn at 2:19 PM on July 17 [2 favorites]


I use Apple's Mail app. I hover over a link and if it looks legit and I want to click on it, I click on it. I always perform this check.
posted by adamrice at 2:23 PM on July 17 [1 favorite]


Hardly ever open links from email but,
After if I don't know the sender, and increasingly even if I do:

Bad grammar and typos are my first flag.

Anything with an odd domain, for me safer domains are nz, au, hi.

Copy url into notepad to check it.

Open in a secure browser eg epic

Using outlook 2016
posted by unearthed at 2:34 PM on July 17


Anything that requests log-in credentials: I find the site on my own. I'm savvy enough to pay attention to URLs but this is safer than expecting myself to always pay attention.

If it's something like an email verification message for a service that I just signed up for, I'll click.
posted by Kutsuwamushi at 2:47 PM on July 17 [2 favorites]


Turning off images in emails seems to be quite effective for me - the spammers can't rely on making their emails 'look official' if you never see the images they're using. (This also has the side benefit of preventing email tracking by the sender).

(The next stage of this is turning off html email altogether, but not all emails are readable in text-only.)

Secondly, I always hover over every link to see where it actually leads. URL shorteners & domains that don’t match the URL in the visible text are both tells for suspect links.
posted by pharm at 3:02 PM on July 17 [1 favorite]


My process for an email link that's inconvenient to avoid clicking:

- Hover over the link and make sure the domain looks right
- Check the opened link and make sure it still looks right (e.g., it didn't use an open redirect to bounce to another url after opening)
- If I have to enter a password, use 1Password autofill, which will only fill into recognized domains. If the password refuses to autofill, that's a good nudge to back up and try Google (though it might just be a normal autofill problem).
- Use an up-to-date browser and up-to-date OS, which means I'm only susceptible to high-value exploits that aren't likely to be used on regular people, and thus don't have to worry about just visiting a sketchy page without doing anything.

The 1Password step is one of the big plus sides of using a password manager (besides speeding up your logins and protecting you from password reuse problems) -- rather than trust your human eyeballs, you can trust the password manager not to fill into a plausible but wrong domain.
posted by john hadron collider at 3:05 PM on July 17


> where account recovery page was a link to a webpage beginning with accounts.google.com.

So, fundamentally, "beginning with" can mean two things. I apologize if I'm going into beginner things that you already know.

At its core, a URL consists of a hostname (the computer(s) a website sits on) followed by the path to the document or webpage you're looking at. The first suspicious thing I look at is, "does the entity this is supposedly from own the host that I'm being sent to?"

Was the url something like "accounts.google.com/fixmyproblem" or something like "accounts.google.com.fixmyproblem.suhkauhekjddkue.badguy.com/fixmyproblem"? That forward slash (/) is the key - it tells you where the hostname ends and the file path begins. The first example I gave goes to the file or page "fixmyproblem" on the host "accounts.google.com" which is (barring some kind of actual issue at Google that would have made news) owned by Google. The second example starts with accounts.google.com, but it's actually a hostname belonging to 'badguy.com', and that's really probably not the place you want to go.
posted by hanov3r at 3:22 PM on July 17 [4 favorites]


  • Make sure your MUA is configured in such a way that it does not automatically load inline images or other content without a separate, explicit action on your part. If your email client loads images automatically as soon as you open the email, you just "clicked the link". In other words, if your software gets a bunch of bytes from who knows where, it should show you those bytes, not do what those bytes say to do.
  • Look at the sender, the subject and the text content of the message. Do I recognize them? Do they make sense? Is there a logical (non-scam) reason this person or company would be sending me email?
  • Is the mail apparently from a person or business that is well-known and might be a likely target of impersonation? If so, that calls for extra scrutiny.
  • Is the content click-baity? Does it say an account has been closed or compromised or that I've won something? Almost certainly garbage.
  • Is there an attachment? Probably junk except for very specific limited cases I know about in advance. The number of legitimate encrypted .zip or .rar files attached to emails, in the entire history of computing, is zero. These are always, always malware being ineptly hidden from virus scanners.
  • Mouse-over the link or examine source. Does the link actually go where the link text implies it does? (Don't trust this too much -- domain internationalization means you can create a URL for a domain that visually looks like -- say -- amazon.com but is a totally different string.)
  • Don't ever click a link that involves credentials or money, even if it looks OK. Type the domain into your browser or a search engine. (This is kind of like talking to your credit card company on the phone. You always initiate the call.)
  • If you do click through, use a browser configured according to best practices. (That means no IE, no Edge, no Java, no Flash, Javascript blocked by default, ads blocked by default, tracking blocked by default.)

posted by sourcequench at 3:33 PM on July 17 [1 favorite]


As far as I'm concerned, any subdomain of the correct TLD is trustworthy. So I would click "accounts.google.com" or "support.paypal.com", but not "accounts.receivable-google.com"
posted by humboldt32 at 4:08 PM on July 17 [1 favorite]


Adding to the excellent advice above: For a desktop browser, you can right-click the link and choose "Copy link location" (or similar), then paste it into a text editor to look it over and check whether the supposed top-level domain really is correct or only superficially similar. Sometimes the first ".com" in the link isn't really the ending of the top level domain, for example: some.google.domain.com-blah-blah-blah.com/ - i.e. the .com before the / is the real end of the domain name.
posted by Greg_Ace at 4:44 PM on July 17 [1 favorite]
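
The hostname check that hanov3r, humboldt32 and Greg_Ace describe above can be done mechanically instead of by eye. The following Python sketch is an added example, not part of any poster's answer: the function names are hypothetical, the sample links are the ones quoted in the thread with an `https://` scheme added, and the "expected domain" is whatever domain you believe the sender owns.

```python
from urllib.parse import urlsplit


def link_host(url):
    """Hostname of a link: the part between the scheme and the first '/'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a scheme-less link as host/path
    host = urlsplit(url).hostname  # lowercased, with port and path removed
    return host.rstrip(".") if host else None


def naive_starts_with(url, expected_host):
    """The misleading 'begins with' check: compares text, not the real host."""
    return url.split("://", 1)[-1].lower().startswith(expected_host.lower())


def belongs_to(url, expected_domain):
    """True only if the host is expected_domain itself or a subdomain of it."""
    host = link_host(url)
    expected = expected_domain.lower().rstrip(".")
    if not host:
        return False
    # The leading dot matters: 'receivable-google.com' ends with 'google.com'
    # but not with '.google.com'.
    return host == expected or host.endswith("." + expected)


# Sample links quoted in the answers above (schemes added so they parse).
SAMPLES = [
    "https://accounts.google.com/fixmyproblem",
    "https://accounts.google.com.fixmyproblem.suhkauhekjddkue.badguy.com/fixmyproblem",
    "https://accounts.receivable-google.com/",
    "https://some.google.domain.com-blah-blah-blah.com/",
]


def review(urls, expected_domain):
    """Pair each link's real host with whether it belongs to expected_domain."""
    return [(link_host(u), belongs_to(u, expected_domain)) for u in urls]


if __name__ == "__main__":
    for host, ok in review(SAMPLES, "google.com"):
        print(f"{'OK    ' if ok else 'REJECT'} {host}")
```

Only the first sample is accepted; the second one passes the naive "begins with accounts.google.com" comparison and is still rejected once the real host is extracted.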


Also, in my Android browser or Gmail app I can press and hold a link to get a pop-up showing the full URL and options for what I want to do next. I can click Back to close that window without actually following the link at all.
posted by Greg_Ace at 4:46 PM on July 17


One more thing I should have included above: I never click through link-shortened URLs in email. In the context of an email, there's no conceivable reason to use a link-shortening service except to obscure where the link actually goes. Even if I know and trust the sender and the email is relevant to prior communications we've had, I ain't playin'.
posted by sourcequench at 5:04 PM on July 17 [1 favorite]


My process, if the email is suspicious in ways that have already been discussed:

1) Open the link in an incognito window in an up-to-date browser like Chrome or Firefox.

2) Poke around a little bit to see how sophisticated the scam is, maybe inspect source and/or take screenshots. If it somehow isn't a scam, complain to the legitimate company sending extremely sketchy emails and stop here.

3) switch to email, report the message as a scam or phishing attempt, and/or forward it to the email admins or infosec team if this is a work/school/other big organization email account.

4) switch back to scam website, figure out the actual domain name and TLD, in http://accounts.google.com.scarybadguys.internet.website/weirdnonsense/morenonsense, that's internet.website, in http://butt.church it's butt.church, in something like http://park.io/this/that/theotherthing/^#$TWgs/andSoOn/website.com&somenonsense=2351&whatever=62833%^plkaer/and%20all%20that%20jazz it's park.io

5) go to that site in new incognito tab, poke around for "report a problem" or "contact admin" type links, if they exist, report the scam website as a scam website and stop here.

6) if there's no way to report things at the domain name and TLD, poke around with DNS and other tools to figure out who or what is hosting the site and capable of receiving a complaint. send complaint.

Hosting services and ISPs really don't want to enable crimes, sliminess, or hacking, almost any of the time, and will often get rid of the scam site sooner or later.
posted by bagel at 5:06 PM on July 17


seriously a lot of people feel real bad and scared about maybe clicking something wrong and then, like, YOUR COMPUTER ASPLODE. Quite frequently nowadays you click something wrong and go to a website trying to get your password by having a field marked Officil E-Mail:, a field marked Password:, and a janky pixelated image of your organization's logo. That, or the website is autoplaying an infomercial about the tremendous excellence of a very extremely legitimate and not at all fake product that will cure your baldness, increase your bust size, and allow you to become a millionaire in four weeks.
posted by bagel at 5:15 PM on July 17


Being more paranoid than the above, I copy the link from wherever, paste it into the address bar and inspect it to see if I like it before pressing Go. This is also not entirely foolproof, but it prevents anyone gaming the hover-over link (and certain mail clients don't seem to do the hover over link anyway).
posted by How much is that froggie in the window at 6:44 PM on July 17


> I copy the link from wherever, paste it into the address bar and inspect it to see if I like it before pressing Go. This is also not entirely foolproof, but it prevents anyone gaming the hover-over link [...]

It doesn't prevent anyone gaming the link.

Maybe it says g o greek-omicron g l e dot com, and you think it says google.com. (On preview, metafilter wisely prevents me showing you an actual live example of this. That's a good thing.)
posted by sourcequench at 7:15 PM on July 17
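
The lookalike-character problem sourcequench describes is invisible to the eye but not to code: each hostname label can be checked for the Unicode scripts it mixes, and converted to the ASCII form that is actually looked up. This Python sketch is an added example, not part of the thread; the function names are hypothetical, and the sample hostname is constructed from the description above on the reserved `.example` TLD, with the omicron written as an escape.

```python
import unicodedata
from urllib.parse import urlsplit


def scripts_in(label):
    """Scripts used by the letters in one hostname label.

    Assumption: the first word of the Unicode character name (LATIN, GREEK,
    CYRILLIC, ...) is a good-enough stand-in for the character's script.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def ascii_form(host):
    """The name as DNS sees it: non-ASCII labels become 'xn--' punycode."""
    return host.encode("idna").decode("ascii")


def displayed_form(host):
    """Decode any 'xn--' labels back into the characters a reader would see."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def lookalike_findings(url):
    """List (label, kind, scripts) for every hostname label that is not ASCII."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in displayed_form(host).split("."):
        if label.isascii():
            continue
        scripts = scripts_in(label)
        kind = "mixed-script" if len(scripts) > 1 else "non-ASCII"
        findings.append((label, kind, sorted(scripts)))
    return findings


# Constructed sample: 'g o <Greek omicron> g l e' on a reserved TLD.
LOOKALIKE = "https://go\u03bfgle.example/"

if __name__ == "__main__":
    host = urlsplit(LOOKALIKE).hostname
    print("looked up as:", ascii_form(host))
    for label, kind, scripts in lookalike_findings(LOOKALIKE):
        print(f"{kind}: {label!r} uses {', '.join(scripts)}")
```

A label written entirely in one non-Latin script is reported as non-ASCII rather than mixed-script, so any finding on a link that claims to be a familiar Latin-alphabet name is a reason to type the address yourself.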


I never click links unless it's a link I was expecting to get emailed to me - usually a registration confirmation or a password reset. Otherwise I navigate to what the site is supposed to be directly/use a search engine to find where it claims to go.
posted by Zalzidrax at 8:07 PM on July 17 [1 favorite]

